OSB (11.1.1.7): Can OSB/Weblogic (11.1.1.7) support multiple PKIs (Public Key Infrastructure)

Hi All,
Would you be able to help me understand whether OSB/Weblogic (11.1.1.7) can support multiple private keys in the domain to enable 2-SSL W/S calls?
Solution walk-through :
A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.
The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.
Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.
Limitations and drawbacks with the current solution :  
1. The private key of OSB system is issued and controlled by an external application vendor.
2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.
3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)
4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to server IP address; any changes to the production environment, (i.e. adding new nodes) will require a new key to be generated by 3rd Party system. In case 3rd Party is no more used in the future, the keys can no longer be generated.
Conclusion : OSB does not support multiple PKIs (Public Key Infrastructure), which is a mapping mechanism that OSB uses to provide its certificate for SSL connections to the server. Multiple private keys require multiple PKIs, which OSB does not handle.
So, do you agree that OSB/WebLogic (11.1.1.7) could not support multiple private keys issued by more than one 3rd party vendor?
Thanks,
Kunal Singh

Hi Kunal,
Although it is recommended to have 1 key pair for 1 identity store, as it represents the unique identity of your domain, you can:
1. Import multiple key-pairs in your identity store
2. Configure the PKI credential mapper to use a reference to the identity store consisting of multiple keys
When you create a Service Key Provider (SKP) in your OSB project, it loads all the private keys present in the identity store referred to by the PKI mapper. It will browse both the keys.
Depending on your requirement, you can choose a different key pair for different SKPs in the "Client Authentication key" section (for SSL) and "Signature key" for DigiSign.
Please let me know if I understood your query correctly and the above helps.
Regards,
Ankit
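
The first step of the reply above (several key pairs in one identity keystore, each under its own alias), sketched with the JDK's `keytool` as an added example that is not part of the original thread. The key pairs, aliases, distinguished names and password are constructed stand-ins, and the vendor-issued key is assumed to arrive as a PKCS#12 file.

```sh
#!/bin/sh
# Added example (not from the thread): one JKS identity store, two private keys.
# All names, DNs and the password below are constructed for the demo.
set -eu
LC_ALL=C; export LC_ALL            # keep keytool output in English for parsing
STOREPASS='demo-only-changeit'

# Generate a self-signed RSA-2048 / SHA-512 key pair (stand-in for a real identity).
# $1=keystore file  $2=store type  $3=alias  $4=distinguished name
gen_identity() {
  keytool -genkeypair -keystore "$1" -storetype "$2" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$3" -dname "$4" \
    -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 30 >/dev/null 2>&1
}

# Build $1/identity.jks holding the domain's own key plus a vendor-issued key.
build_identity_store() {
  gen_identity "$1/identity.jks" JKS domain-identity \
    "CN=osb-domain.example.test, O=Example Domain"
  # Stand-in for the file the 3rd party hands over (assumed PKCS#12).
  gen_identity "$1/vendor.p12" PKCS12 vendor-issued \
    "CN=client.vendor.example.test, O=Example Vendor"
  # Copy that key pair into the identity store under its own alias, so it
  # sits next to the domain key instead of replacing it.
  keytool -importkeystore -noprompt \
    -srckeystore "$1/vendor.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -srcalias vendor-issued \
    -destkeystore "$1/identity.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" \
    -destalias thirdparty-client >/dev/null 2>&1
  rm -f "$1/vendor.p12"            # do not leave a second copy of the private key
}

# Print the aliases that hold a private key (one per line, sorted).
list_key_aliases() {
  keytool -list -keystore "$1" -storetype JKS -storepass "$STOREPASS" 2>/dev/null |
    grep 'PrivateKeyEntry' | cut -d, -f1 | sort
}

# Print subject, issuer and signature algorithm of the certificate under alias $2.
describe_alias() {
  keytool -list -v -keystore "$1" -storetype JKS -storepass "$STOREPASS" \
    -alias "$2" 2>/dev/null |
    grep -E '^(Owner|Issuer|Signature algorithm name):'
}

# Demo run: build the store in a temp directory and summarise each identity.
if command -v keytool >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  build_identity_store "$workdir"
  for a in $(list_key_aliases "$workdir/identity.jks"); do
    echo "== $a"; describe_alias "$workdir/identity.jks" "$a"
  done
  rm -rf "$workdir"
fi
```

Each alias printed here is what a Service Key Provider would then be pointed at, one SKP per outbound identity.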

Similar Messages

  • OSB 11.1.1.3 to OSB 11.1.1.7 upgrade

    HI,
    We are planning to upgrade from OSB 11.1.1.3 to OSB 11.1.1.7 as for the Terminal version support availability this was planned.
    My question is as Older versions of OSB did not require us to run the RCU but the latest versions of OSB require to run the OSB for MDS and reporting schemas,
    How do i upgrade the Schema's for OSB?
    i was referring the document for the upgrade
    http://docs.oracle.com/cd/E28280_01/doc.1111/e16793/preface.htm
    Regards
    Gourav

    Change the setDomainEnv.sh file in that set debugFlag=false then, follow the url steps for nodemanager problems.
    url: http://biemond.blogspot.in/2011/04/easy-wy-to-start-your-weblogic-servers.html

  • Why can't Weblogic 12c find Managed Bean by annotation,which in a jar?

    the detail:
    why can't Weblogic 12c find Managed Bean by annotation,which in a jar?

    Hi,
    I got the same problem with weblogic 12c.
    Somehow this guy got it working by using CDI and creating an empty beans.xml, it did not work for me.
    i found the tricky problem is that should put a empty but include the <beans> tag beans.xml file.
    http://www.coderanch.com/t/562233/JSF/java/WebLogic-Eclipse-Indigo-develop-JSF
    I also tried to skip managedbean and use CDI ( @named ) but then I get some jboss weld exceptions on the value attribute of some jsf components.
    I also saw this post
    Can't seem to get a trivial CDI example to work on Weblogic 12c
    I don't use OEPE very often so I'll need to kick this around a little when I get a chance.
    Just as an out there kind of thought, OEPE does use the split-directory model for deployment by default -- perhaps try adjusting it to use the exploded archive model instead, just as a test to see if it removes the error?
    Right click the server config and select Properties > WebLogic > Publishing > Publish as exploded archive
    It seems like the Virtual Application deployment model of OEPE doesn't support CDI.
    thanks
    Edited by: Edwin Biemond on Dec 28, 2011 10:07 PM
    Edited by: Edwin Biemond on Dec 28, 2011 10:25 PM

  • How can uninstall weblogic from solaris

    Hi
    How can uninstall weblogic 5.1 from solaris8

    You should simply delete the directory where you installed it.
    Try:
    rm -rf *
    Michael Girdley
    BEA Systems
    Learning WebLogic? http://learnweblogic.com

  • Where i can find weblogic implementation of JAX-RPC

    HI,
    where i can find weblogic implementation of jax-rpc...please help.
    Thanks in advance
    Akhil Nagpal

    Hi Akhil,
    This JAX-RPC 1.0 implementation, is in the WLS 7.0 product itself. Refer to the
    following link for details:
    http://edocs.bea.com/wls/docs70/webserv/index.html
    Regards,
    Mike Wooten

  • Can't listen for connections - Operation not supported

    Hi,
    We have installed OSB Client on HP-UX 11i V2 HP rx5670 Server as per Oracle Secure backup Installation Guide.
    But we are getting following error message. Please help us to solve the issue:
    2010/12/29.10:23:02 can't listen for connections - Operation not supported
    # /sbin/init.d/OracleBackup start
    Starting Oracle Secure Backup services daemon.
    2010/12/29.10:23:27 can't listen for connections - Operation not supported
    Thanks
    Khairul/Bangladesh

    Have a look at the observiced.log file to see if that has any more detail, this is in /usr/tmp.
    I would check to see if there is something else on the system that is using TCP port 400 or 10000. On Solaris I've seen the webmin installation using port 10000. Both those ports need to be free for OSB to be able to start.
    With OSB stopped, you can "telnet <hostname> 400" and "telnet <hostname> 10000" to see if it connects. If it does then something is listening on that port.
    You should be able to do "netstat -na" as well, to show you listening ports.
    Rich

  • Does Weblogic server 9.2 provide support for CRL checking

    Does Weblogic server 9.2 provide support for CRL checking?

    No, but you can create a custom CertPath provider for your own implementation.
    Mike
    Weblogic/J2EE Security Blog: http://monduke.com

  • IIS proxy 5.1 and Weblogic 6.1 does not support sticky session

    Dear Sir,
    Our system is migrating from Weblogic 5.1 to Weblogic 6.1. After testing on
    development environment, it is found that IIS proxy for 5.1 plug-in and Weblogic
    6.1 server is perfect match for our case. Since our application system hit some
    bugs of IIS proxy for 6.1. In development environment, one IIS match with one
    Weblogic.
    During production launch, another problem found. It seems that IIS proxy 5.1
    plug-in with Weblogic 6.1 does not support the sticky load balancing. A sticky
    service is one where a client sends its requests to the same instance and those
    requests are not redirected to other instances. In production, two IIS match with
    two Weblogic. Below is
    #WebLogicHost=10.0.3.12
    #WebLogicPort=8012
    WebLogicCluster=10.0.3.12:8012,10.0.3.13:8012
    COnnectionTimeoutSecs=10
    ConnectionRetrySecs=2
    ErrorPage=https://www.xxxx.com/eBank/sysnotready.htm
    CookieName=eBankingWebLogicSession
    Anyone have idea on our case?
    Thanks,
    KAI

    My test was with 6.1 SP3.
    The way to tell is by analyzing the cookie(JSESSIONID).
    Perhaps the behaviour changed post SP1. I can't say for sure.
    Eric
    "Gary Rudolph" <[email protected]> wrote in message
    news:[email protected]...
    Is that entirely true concerning you don't need the persistence set to
    replicated in the weblogic.xml to gain sticky load balancing?
    The reason I ask was that in our situation sticky wouldn't work without
    having the persistence set to replicated. This was with NSAPI and WLS 6.1
    SP1. The weblogic servers were configured in a weblogic cluster. So..based
    on this statement we should not have needed to set the persistence, but in
    practice we did for it to work.
    Gary
    "Eric Gross" <[email protected]> wrote in message
    news:[email protected]...
    I just checked, and you are correct. You just need to have clustering
    enabled in 6.1. You do not necessarily need to have persistence set to
    replicated.
    Of course, you won't get failover, but you will get the sticky load
    balancing.
    Regards,
    Eric
    "Ricky Wong" <[email protected]> wrote in message
    news:[email protected]...
    Why do we need to set session persistence to replicate in order to perform
    sticky load balancing? There is no such requirement in WebLogic 5.1. As far
    as I know, the IIS plugin simply interprets the value of the session cookie,
    which should be embedded with the application server address, then forwards
    the request to that particular application server.
    We didn't use session replication in our environment because not all session
    variables are serializable.
    "Eric Gross" <[email protected]> wrote in message
    news:[email protected]...
    The problem you mentioned in the other newsgroup post has been fixed and
    will be in SP4. If you are in production or nearing production and need a
    resolution now, then please open a case with support.
    You should not need any other parameters to do the load balancing. But to
    have the sticky load balancing, you must make sure you have session
    persistence set to replicated for the webapp in question.
    I'm not sure I am understanding your 3rd question.
    In any case, my advice is to either wait for SP4 to be released (scheduled
    sometime this month) or if you really need to go into production soon,
    contact support to obtain the latest IIS plugin.
    Regards,
    Eric
    "Mike" <[email protected]> wrote in message
    news:[email protected]...
    Dear Eric,
    Thanks very much for your kind information, but we still have the following issues
    regarding the WL IIS proxy:
    1. We have already tried the IIS proxy that comes with WL6.1 SP3. However, the
    result from that version of IIS proxy is not satisfactory, as we experienced cases
    where the web page is not displayed correctly (as in
    http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.plug-in&item=994&utag=).
    If there is any IIS proxy released after WL6.1 SP3, could you kindly give us
    a pointer to the plugin?
    2. In WL5.1 case, we are only required to have "WebLogicCluster" parameter set
    to two weblogic servers in order to use the load balancing features. In WL6.1, we
    do not come across any additional settings required to support load balancing.
    Are there any such settings required (e.g. in config.xml, weblogic.xml,
    application.xml, etc?)
    3. Does the WL IIS proxy problem have anything to do with the version of the
    IIS server/Windows versions that we are using? We have already tried with IIS4
    and IIS5 and have different kinds of issues.
    Thanks in advance for your kind assistance.
    Mike
    "Eric Gross" <[email protected]> wrote:
    Yes, the session format has changed when using clustering and you cannot use
    the 5.1 plugin to proxy to 6.1.
    What problems did you have using the 6.1 plugin? Maybe you need the latest
    6.1 plugin.
    Regards,
    Eric

  • I have a Macbook Air that had some coffee spilled on the keyboard and as a result the plus/equals key is no longer functioning. Can I use a program like Ukelele to reprogram a different key to be my plus/equals key? Can I program a function key? key

    I have a Macbook Air that had some coffee spilled on the keyboard and as a result the plus/equals key is no longer functioning. Can I use a program like Ukelele to re-program another key to do that function? Can I re-program a function key to do this function?

    Water + electronics do not mix.  Something was damaged inside, and the logic board may be corroding as is.
    Take it to a Genius Bar for an evaluation and repair estimate.
    This is accidental damage and not covered by warranty.

  • I have problem with buying in games , I got the message that the purchase can not be completed , please contact iTunes support.. I need help for my case please

    I have problem with buying in games , I got the message that the purchase can not be completed , please contact iTunes support.. I need help for my case please

    http://www.apple.com/support/itunes/contact/

  • I am getting the error "This movie can be played only on displays that support HDCP" when attempting to play a HD movie from iTunes to my TV.  The TV is a Samsung UN46B7000WF w/resolution 1080p

    Hello Apple Community,
    I am getting the message "THis movie can be played only on displays that support HDCP (High-bandwidth Digital Content Protection)."  This is the first time I have tried to watch a HD movie that I bought from iTunes from my iMac to my TV.  (This is also the first attempt to go from my iMac to my TV.)  I have a Samsung LED tv that says it is HDCP compatible with Full HD (1080p) and Native resolution is 1920X1080.  I bought a Rocketfish Thunderbolt to/Mini Displayport to HDMI adapter (says support is up to 1920X1200 video resolution) and Mediabridge ULTRA Series HDMI Cable (35 Feet) - High-Speed Supports Ethernet, 3D and Audio Return category 2 certified (supports resolution up to 4K including 1440p, 1080p, 1080i and lower).
    I can get the iMac to display on my TV but am guessing that I have not managed the settings correctly in Display for either the iMac or the TV.  In addition, I do not have sound yet.  Although, the card from Mediabridge says that I need to update my drivers.  Any help/advice with the settings for iMac to TV to watch in HD and adding HDMI drivers would be greatly appreciated.
    Thank you in advance for your assistance.
    Sincerely,
    Lisa

    Hello All,
    I have figured out the sound issue: System Preferences>Sound and choose the TV for output.
    Regards,
    Lisa

  • How to update weblogic.properties in order to support English & Chinese

    <URGENT PROBLEM>
    hi,
    how to update weblogic.properties in order to support English & Chinese
    version in a single weblogic server?
    Thanks in advance
    <URGENT PROBLEM>

    If you are using JSP as your mechanism for content display, you should use
    the contentType parameter to specify the character and coding of the JSP
    page any character encoding of the resulting stream. So far, we have not
    done a good job of documenting how to produce localized content in JSP. I
    have filed an issue for the documentation folks to work on it. For now,
    take a look at section 2.7.4 of the JSP specification version 1.1.
    Thanks,
    Michael
    Michael Girdley
    Product Manager, WebLogic Server & Express
    BEA Systems Inc

  • I want to share Microsoft word from my desktop mac to my laptop but every time I try and do it, it says that it can't open because it is not supported by the software. I have tried several times and updated it on the mac but its still not working.

    I want to share Microsoft word from my desktop mac to my laptop but every time I try and do it, it says that it can't open because it is not supported by the software. I have tried several times and updated it on the mac but its still not working. Any ideas?

    You need to install Office on the computer from the installer DVD or disc image you purchased.

  • How can I have multiple bookmarks toolbars? Not multiple row. Multiple toolbars. With different names.

    I just want multiple bookmark toolbars.
    Right click the ui, choose a toolbar (e.g. "Work", "Visuals") etc.
    That's it.
    Not multiple rows.
    Thanks.

    That is not possible.
    Firefox only has one Bookmarks Toolbar item that can hold the bookmarks.
    So you can only use an extension that supports multiple bookmarks rows to add an extra row if the current last one gets filled up.
    The best workaround is probably to create bookmarks folders on the bookmarks toolbar and open those to access each category.
    https://support.mozilla.org/kb/Bookmark+folders

  • Can I use the same Apple ID for multiple devices

    Can I use the same Apple ID for multiple devices?

    Yes. Up to five devices can be authorized on a single computer using the same Apple ID. You can also use the same Apple ID on multiple devices if they are all going to use the same iTunes Library by the same user. But it's ill-advised if multiple users are involved who wish to keep their devices separate from the devices belonging to other users.
    How to use multiple iPhone, iPad, or iPod devices with one computer
    Using More than One iDevice on the Same Computer
    This applies mainly to couples who are adding another device and do not want their email, messages, etc. being duplicated on both devices. To begin read: How to use multiple iPhone, iPad, or iPod devices with one computer. You need to establish a separate Apple ID and password for whomever will use the new iDevice. See Apple - My Apple ID and Frequently asked questions about Apple ID. The easiest way is to do this on the computer using iTunes: iTunes- How to set up an Apple ID within iTunes.
    On the computer create a new user account for the person with the new iDevice. This will be the user account that person will always use. He/She will no longer use the other user account. This way that person will have a separate iTunes Library
    Start by transferring the new device(s) to a new account along with all your data.  Save any photo stream photos that you want to keep to your camera roll (unless they are already in the camera roll) by opening your Photos app, tap on Albums icon at the bottom. Now, tap on My Photo Stream album; tap Select; tap on the photos you want to select;, tap the share icon (box with upward facing arrow) in the lower left corner; then tap Save to Camera Roll.
    If you are syncing notes with iCloud that you want to keep then you need to open each of your notes and email them to yourself. Later you can copy and paste the text into new notes created in your new account.
    Tap on Settings > iCloud > Delete Account (only deletes it from this device, not from iCloud; the person keeping the current account will not be affected,) provide the password to turn off Find My Phone and choose Keep on My iDevice when prompted.  Sign in with a different Apple ID to create your new account. Choose Merge to upload your data.
    Once you are on separate accounts, you can each go to icloud.com and delete the other person's data from your account.
    Note: The essence of the above was created by user, randers4. I
    have made substantial changes to improve readability and syntax.
